{"api_version":"1","generated_at":"2026-05-06T22:01:07+00:00","cve":"CVE-2022-22302","urls":{"html":"https://cve.report/CVE-2022-22302","api":"https://cve.report/api/cve/CVE-2022-22302.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-22302","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-22302"},"summary":{"title":"CVE-2022-22302","description":"A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.","state":"PUBLIC","assigner":"psirt@fortinet.com","published_at":"2023-07-11 09:15:00","updated_at":"2023-11-07 03:43:00"},"problem_types":["CWE-312"],"metrics":[],"references":[{"url":"https://fortiguard.com/psirt/FG-IR-20-014","name":"https://fortiguard.com/psirt/FG-IR-20-014","refsource":"MISC","tags":[],"title":"PSIRT Advisories | FortiGuard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-22302","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22302","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"22302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortiauthenticator","cpe6":"5.5.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortiauthenticator","cpe6":"6.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22302","vulnerable":"1","versionEndIncluding":"6.0.4","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortiauthenticator","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fortinet","cpe5":"fortios","cpe6":"6.4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fortinet","cpe5":"fortios","cpe6":"6.4.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22302","vulnerable":"1","versionEndIncluding":"6.0.13","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fortinet","cpe5":"fortios","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22302","vulnerable":"1","versionEndIncluding":"6.2.9","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fortinet","cpe5":"fortios","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-22302","qid":"43980","title":"Fortinet FortiOS Information disclosure Vulnerability (FG-IR-20-014)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-22302","ASSIGNER":"psirt@fortinet.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Information disclosure","cweId":"CWE-312"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Fortinet","product":{"product_data":[{"product_name":"FortiAuthenticator","version":{"version_data":[{"version_affected":"=","version_value":"6.1.0"},{"version_affected":"<=","version_name":"6.0.0","version_value":"6.0.4"},{"version_affected":"=","version_value":"5.5.0"}]}},{"product_name":"FortiOS","version":{"version_data":[{"version_affected":"<=","version_name":"6.4.0","version_value":"6.4.1"},{"version_affected":"<=","version_name":"6.2.0","version_value":"6.2.9"},{"version_affected":"<=","version_name":"6.0.0","version_value":"6.0.13"}]}}]}}]}},"references":{"reference_data":[{"url":"https://fortiguard.com/psirt/FG-IR-20-014","refsource":"MISC","name":"https://fortiguard.com/psirt/FG-IR-20-014"}]},"solution":[{"lang":"en","value":"Please upgrade to FortiGate version 6.4.2 or above.\r\nPlease upgrade to FortiOS version 6.2.10 or above\r\nPlease upgrade to FortiOS version 6.0.14 or above\n\r\nPlease upgrade to FortiAuthenticator version 6.2.0 or above\r\nPlease upgrade to FortiAuthenticator version 6.1.1 or above\r\nPlease upgrade to FortiAuthenticator version 6.0.5 or above\n\n\r\nWorkaround in FortiOS:\r\nDisable the FTM push service by using the below commands:\r\nconfig system ftm-push\r\nset status disable\r\nend"}],"impact":{"cvss":[{"version":"3.1","attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X"}]}},"nvd":{"publishedDate":"2023-07-11 09:15:00","lastModifiedDate":"2023-11-07 03:43:00","problem_types":["CWE-312"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW"},"exploitabilityScore":1.8,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fortinet:fortios:6.4.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.0.13","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.0","versionEndIncluding":"6.2.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortiauthenticator:6.1.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fortinet:fortios:6.4.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortiauthenticator:5.5.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.0.4","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"22302","Ordinal":"224636","Title":"CVE-2022-22302","CVE":"CVE-2022-22302","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"22302","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}